The Biometric Threat – Some Preventative Measures

We live in an age where personal information is difficult to protect, and passwords are far from unbreakable. Recently, IBM surveyed nearly 4,000 people and learned that 67% are comfortable using biometrics, and 87% would be comfortable using biometric authentication in the future. Millennials are particularly comfortable with biometric security, with 75% reporting that they’re at ease with today’s technology.

In fact, if you used a fingertip scan to log
into your phone to read this article, you just used biometrics to verify your
identity. From passwords to PINs to tokens, there are many ways we provide
credentials, but no method has grown in popularity more than biometrics.
Biometrics have steadily moved in to replace document-based identities such as
a driver’s license, physical credentials like swipe cards used for secure
building access, and especially the username/password system that’s been in use
since the dawn of the computer age.

Biometrics are also the future of background
checks. Instead of submitting documents and identity in person, you can enroll
your biometrics through several nationwide systems to instantly prove and
verify your identity. FBI channelers use biometrics for regulated purposes and
retrieve a criminal background check in near real-time. Fingerprints can now
even be used for on-the-spot drug testing.

It’s a lot easier for a hacker to crack the
password you created that uses your dog’s name and your first child’s
birthdate, but biometrics aren’t immune to hacking. Dolls, masks, and false
faces can break some facial recognition systems. Philip Bontrager, a researcher
at NYU, created a fingerprint that combined the characteristics of many
fingerprints into one fake finger that contains multitudes — he calls this hack
the “DeepMasterPrint.”

The DeepMasterPrint could be used to log into
devices with only a single fingerprint authentication routine, such as a
smartphone, a tablet or even your home security system. What Bontrager did here
was simply prove the obvious: Biometrics are hackable.

The Security Cold War

If you’re paying attention to the history of
hacking security mechanisms, we all know how this story goes. Here’s the
pattern of the security cold war:

1. A secure system is hacked through one extremely complicated exploit, explained by academics.

2. Security experts demonstrate solutions to the first hack and create an ongoing set of solutions designed to circumvent the first hack. Many consumers ignore this fix.

3. Professional state actors or black hats use the same general method to hack unprotected systems, raising the bar on security professionals and system protection.

4. Unfortunately, their efforts often go for naught as the original hack is replicated by script kiddies and used voluminously to steal identities, money and goods.

5. Eventually, we end up in a place where complicated solutions exist to prevent the original hack and all hacks that emerged out of the same system weakness.

The matrix above has been replicated across
multiple systems and functions over time. Right now, with biometric-based
identity, we are at the early stage (1), and I’m here to provide stage (2) —
the security expert explains the need for protection and demonstrates a set of
solutions. If people don’t ignore this set of fixes, it’s unlikely we’ll
have to live in a world brought about by steps 3-5.

There are three critical behaviors that can
almost entirely mitigate the threat exposed by the new biometric exploits.
These three best practices can help mitigate the problem of biometric
vulnerabilities for organizations that require secure identification and
authentication.

Enroll at high fidelity

One low-fidelity biometric (like those used by
smartphone scanners) isn’t satisfactory for high-security authentication.
Enroll multiple fingerprints through a high-fidelity enrollment mechanism like
a certified FBI channeler. This group of companies enrolls at a much higher
standard of fidelity than those exploited in the DeepMasterPrint hack.

If you are using facial geometry and iris scans
for access or identity, then it is equally important to use a high fidelity
system to enroll the faces you wish to recognize. Enroll with many points, and
then you can easily cross-check at low fidelity with a great deal of assurance
of valid identity.

Use multi-factor biometric solutions

Even better, use a system that enrolls not only
fingerprints, but also enrolls facial geometry and/or iris scans. In a later
verification scenario, if the fingerprints match the face, and the face matches
the documents, you have a multi-factor identity which is hard to hack.

Multi-factor authentication combines several
factors like multiple fingerprints, facial recognition, or voice recognition.
Don’t just use one type of biometric — ensure that the eyes, the fingers and
the palm print all belong to the same person. A single finger on a pad or a
single face read by a camera shouldn’t be enough to grant access to any
high-security device, software, or facility.

Put a human being in the loop

Machine learning and AI can only take you so far
in terms of protecting your assets or your facility. A person is often the
ultimate biometric checking device.

Don’t rely on an autonomous system to proof-check biometric identity.
Instead, have a real person show up and check the identity. Having a person
involved in real-time increases security and adds accountability.
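The cross-referencing described in the two sections above (every modality must point at the same enrolled person, and a human still signs off before high-security access) can be expressed as a small decision policy. The following is an added example, not code from the article or any vendor; the modality names, the score thresholds keyed to enrolment fidelity, and the sample match results are all constructed assumptions.

```python
"""Cross-referenced multi-modal verification policy (added example).
Each matcher returns candidate subject IDs with a similarity score in [0, 1].
A subject is verified only when every required modality agrees on exactly one
ID, and 'accept' additionally needs a human reviewer to confirm that same ID."""
from dataclasses import dataclass

# Assumption: a gallery enrolled at high fidelity justifies a stricter threshold.
FIDELITY_THRESHOLD = {"high": 0.90, "low": 0.75}


@dataclass(frozen=True)
class ModalityResult:
    modality: str     # e.g. "fingerprint", "face", "iris"
    fidelity: str     # enrolment fidelity of the gallery that was searched
    candidates: dict  # subject_id -> similarity score


def passing_ids(result: ModalityResult) -> set:
    """Subject IDs whose score clears the threshold for this gallery's fidelity."""
    threshold = FIDELITY_THRESHOLD[result.fidelity]
    return {sid for sid, score in result.candidates.items() if score >= threshold}


def cross_reference(results, required):
    """Return the single subject every required modality agrees on, else None.
    A missing factor, an empty intersection, or an ambiguous one all fail."""
    by_modality = {r.modality: r for r in results}
    if not required.issubset(by_modality):
        return None
    agreed = None
    for modality in required:
        ids = passing_ids(by_modality[modality])
        agreed = ids if agreed is None else agreed & ids
        if not agreed:
            return None
    return next(iter(agreed)) if len(agreed) == 1 else None


def decide(results, required, human_confirmed_id=None):
    """'accept' when biometrics agree and a human confirmed the same subject,
    'review' when biometrics agree but nobody has checked, 'reject' otherwise."""
    subject = cross_reference(results, required)
    if subject is None:
        return "reject", None
    if human_confirmed_id != subject:
        return "review", subject
    return "accept", subject


# Constructed sample: the fingerprint search returns several plausible subjects
# (one factor alone is ambiguous), while the face search singles out one of them.
FP = ModalityResult("fingerprint", "high", {"u1": 0.95, "u2": 0.93, "u3": 0.91})
FACE = ModalityResult("face", "high", {"u2": 0.97, "u1": 0.40})
```

With the constructed data, the fingerprint alone is rejected as ambiguous, fingerprint plus face narrows to one subject but only reaches "review", and "accept" requires the reviewer to confirm that same subject.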

The Future of Biometric Hacks

Any identity-proofing technology in its early
deployment stages is prone to security exploits. But it’s worth noting that
most of the rest of the threat matrix doesn’t apply to the case of biometrics
when they are used comprehensively and in a manner that cross-references each
other.

That’s because biometrics are a fundamentally
different class of identity proofing and are an order of magnitude harder to
replicate and deploy at scale. Creating fake fingertips for every human being
on earth is an astronomically hard problem, and creating fake irises and fake
faces is arguably even harder.

When used in combination as a multi-factor identity, enrolled at high fidelity, biometrics provide a safeguard against identity hacks that remains nearly unassailable.